9 March 2016
Mr. President, Distinguished Representatives, Ladies and Gentlemen,
It is with great honour that I address this Council, for the very first time, in my capacity as United Nations Special Rapporteur on the right to privacy.
Since my appointment last July, I have been impressed by the overwhelmingly warm and enthusiastic support my mandate has received across the board. My task is immense and expectations are high. Privacy has never been more at the forefront of political, judicial and individual consciousness than in 2016.
At the outset of this dialogue, and in line with the wording of resolution 28/16 adopted in this room, I would like to put particular emphasis on the necessity to listen carefully to all stakeholders in all regions of the world and to all parts of society while carrying out the mandate.
To develop a deeper and more universal understanding of the right to privacy on a global level, it is crucial to blend in all perspectives, cultural backgrounds and concerns. At the same time and in order to ensure a fruitful outcome of this process, it is critical to respect and promote the substantive core of the right to privacy throughout the entire global community.
Mr. President and distinguished delegates,
I am pleased to present you with my first report which attempts at describing my vision of the mandate together with the working methods I have adopted to carry out the task. The report provides an insight into the state of privacy at the beginning of 2016 and a work plan for the first three years of the mandate.
The section of the report devoted to the working methods of the mandate includes the outlines of seven areas of concern which are expected to form separate though interlinked thematic studies:
- Privacy and Personality across cultures
- Corporate on-line business models and personal data use
- Security, surveillance, proportionality and cyberpeace
- Open data and Big Data analytics: the impact on privacy
- Genetics and privacy
- Privacy, dignity and reputation
- Biometrics and privacy
While the concept of privacy is known in all human societies and cultures at all stages of development and throughout all of the known history of humankind it has to be pointed out that there is no binding and universally accepted definition of privacy. To understand the right better it is necessary to think of it from two perspectives. First, it should be considered what the positive core of the right encompasses. Secondly, the question arises how to delimit the right in the form of a negative definition.
As reaffirmed by the Human Rights Council in resolution 28/16, article 12 of the Universal Declaration of Human Rights (UDHR) and article 17 of the International Covenant on Civil and Political Rights (ICCPR) constitute the basis of the right to privacy in international human rights law. Taken together with a number of other international and national legal instruments including constitutions and ad-hoc legislation, this means that there exists world-wide, a considerable legal framework which can be useful to the protection and promotion of privacy. The existence and usefulness of this legal framework is however seriously handicapped by the lack of a universally agreed and accepted definition of privacy.
My report argues that for the foundations of “the privacy house” to be strong and fit- for-purpose we first need to establish a re-freshened understanding of what privacy means to different people in different places across the planet. This therefore would primafacieseem to be not only a fundamentally important task but also a priority task of my mandate.
When launching the debate on the understanding of what privacy is and should be in 2016, I wish to focus on fundamentals and for that, it is my intention to provocatively posit privacy as being an enabling right as opposed to being an end in itself.
Several countries around the world have identified an over-arching fundamental right to dignity and the free, unhindered development of one’s personality. I would argue that a) such a right to dignity and the free, unhindered development of one’s personality should be considered to be universally applicable and b) that already-recognised rights such as privacy, freedom of expression and freedom of access to information constitute a tripod of enabling rights which are best considered in the context of their usefulness in enabling a human being to develop his or her personality in the freest of manners.
Positing privacy in the context of a wider debate about the fundamental right to dignity and the free, unhindered development of one’s personality reflects the realities of life in the digital age.
The tripod of enabling rights – privacy, freedom of expression and freedom of access to information – existed before the advent of digital technologies. So did the right to dignity and the free, unhindered development of one’s personality. Digital technology has however resulted in a huge impact on these rights both off-line and on-line where, today, netizens generate tens of thousands of more data-sets about themselves than they did two decades ago. Mobile devices and converging technologies such as mobile smart phones - where telephony, the Internet and photography converge - create a new way of life, new comforts and new expectations both in terms of convenience as well as for privacy.
The question arises however, if this informational convergence where loads of personal data relating to us can be created, stored and analysed easily, is potentially dangerous for privacy and human dignity. Who can be confronted with his or her past potentially at all times will find it hard to develop a future. Who cannot find out aspects about the past of other people cannot learn and form an opinion. We need to find and strike a new balance.
Potentially, we might have reached a stage of development where we need to allow for several niches of data processing to be available for one individual at the same time in order to enable humans to develop a certain set of characteristics in certain environments. We need to develop further technology as well as the legal framework on all levels in order to ensure that human dignity remains at the centre of societal development.
One of the necessities I outline in my report is to develop “safeguards without borders” and “remedies across borders”. As recent judgments by Human Rights Courts I included in my report have shown individuals crave to have their privacy more strongly protected. It is the duty of states to protect the fundamental rights of their citizens against illegitimate and disproportionate infringements. It does not matter whether these dangers come from authorities within the states themselves or corporations who use personal data to create economic profits. There is a responsibility states have to take up and address accordingly in order to protect privacy.
Additionally, the cross-border dimension of modern information technology, especially when it comes to the control and governance of international data flows, make it clear that there is a need for a common approach to these developments. Traditionally, when states want to create trust in their relationships in international public law they refer to the principle of reciprocity. To promote privacy in the digital age we need to ensure trust in technology on an international scale. This trust must first of all be based on the mutual promotion of human dignity. As long as certain actors in cyberspace do not respect the basic fundamental rights of netizens, the right to privacy will not be sufficiently protected. The already mentioned tripod of enabling rights – privacy, freedom of expression and freedom of access to information – will not be able to develop its full potential for the benefit of humankind.
Mr. President and distinguished delegates,
In order to facilitate the process of further elaboration on the dimensions of the right to privacy and its relationship with other human rights I have developed an outline Ten Point Action plan. It should be kept in mind that the points mentioned in the plan are brought forward in no particular order and do not imply a specifically prioritised working programme. I understand this function as the one of a pathfinder. The aim is to seek a way forward while at the same time identifying urgent issues to be tackled or reacting to the needs of individuals or of countries who require urgent work in the sector of responsibility. The Ten Point Action Plan below is a to do list and not a mere wish-list. I have embarked on each of the ten points below but naturally at the speed dictated by time-availability and resource constraints.
The first point is entitled Goingbeyondthe existing legal concept to a deeper understanding of what it is that we have pledged to protect: There is a need to work on developing a better, more detailed and more universal understanding of what is meant by “the right to privacy”. What does it mean and what should it mean in the 21st century? How can it be better protected in the digital age? Activities will be organised and research will be supported to examine possible answers to these key questions which will help provide essential foundations for other parts of the action plan.
The second point aims at Increasing awareness: We need to develop greater awareness amongst citizens in order to help them understand what privacy is. It is important to have a general discourse on what their privacy rights are, how their privacy may be infringed upon especially by new technologies and by their behaviour in cyberspace. They need to learn on how their personal data has been monetised and what are the existing safeguards and remedies. What can they do to minimize privacy risk and how can they interact with their law-makers and the corporate sector to improve privacy protection? This creation of awareness is a massive task in its own right, and I will contribute to this awareness-raising throughout on-going engagement with all stakeholders and especially civil society for the entire duration of his mandate.
Thirdly, the creation of a structured, on-going dialogue about privacy is necessary. The establishment of a more structured, more open, more comprehensive, more effective and most importantly permanent dialogue between the different stakeholders is crucial. In order to achieve the protection of privacy bridges are required and need to be built. I would like to put great emphasis on this activity and will use existing fora as well as creating new fora. To be included are particularly the facilitating of a structured dialogue between Non- Governmental Organizations, Data Protection and Privacy Commissioners, Law Enforcement Agencies (LEAs) and Security and Intelligence Services (SIS). It is essential to work with all classes of stakeholders in order to improve internal procedures, increase the level of privacy by design in the technologies they deploy and the procedures they follow. It is important to maximise transparency and accountability and reinforce impartial and effective oversight to the point where it becomes significantly more effective and credible.
The fourth point deals with a comprehensive approach to legal, procedural and operational safeguards and remedies: Appropriate safeguards and effective remedies have been part of the “raison d’etre” of data protection law since its inception aimed at providing guidance and protection at the correct level of detail required in a world rendered more complex by constant technological change. Clearer and more effective protection for citizens should be provided in order to prevent the infringement of privacy. Real remedies need to be available to all concerned in those cases where an infringement actually occurs.
Fifthly, renewed emphasis on technical safeguards is necessary: The safeguards and remedies available to citizens cannot ever be purely legal or operational. Law alone is not enough. I will continue to engage with the technical community in an effort to promote the development of effective technical safeguards including encryption, overlay software and various other technical solutions where privacy-by-design is genuinely put into practice.
Let me add to this as a sixth point a specially-focused dialogue with the corporate world. An increasing number of corporations today already gather much more personal data than most governments ever can or will. What are the acceptable alternatives to or the key modifications that society should expect from current business models where personal data has been heavily monetised? Which are the safeguards applicable in cases where data held by private corporations are requested by state authorities? This dimension of the mandate requires much time and attention.
Point number seven aims at promoting national and regional developments in privacy-protection mechanisms. The value of national and regional developments in privacy- protection mechanisms should be appreciated more at the global level. As mandate holder I plan to working in close co-operation with Data Protection and Privacy Commissioners world-wide. Through mutual cooperation and dialogue the global standards of privacy protection could be raised significantly. I have already commenced a series of global activities planned and executed with Data Protection Authorities world-wide. These include events planned for Australia, Morocco, New Zealand, Northern Ireland and Tunisia for 2016 with many others in the pipeline for future years.
Point number eight is harnessing the energy and influence of civil society. Having already met with representatives of over forty NGOs during my first six months in office, I intend to continue dedicating considerable time to listening to and working with those representatives of civil society who are putting in so much effort to better protect privacy world-wide.
Point number nine looks closer at Cyberspace, Cyber-privacy, Cyber-espionage, Cyberwar and Cyberpeace. The global community needs to be inquisitive, frank and open about what is really going on in cyberspace, including the realities of mass surveillance, cyber-espionage and cyberwar. Tackling these realities will build upon the results of other action points outlined in my report as well as the results of the thematic studies you find in my report. I expect these issues to be a constant feature of a number of future reports as well as in many of the country visits. However, I hope to play a constructive role in improving the protection of privacy in the digital age.
Last but not least, point ten suggests an investigation of further in International Law. While law alone is not enough it is very important. The potential for development of international law relevant to privacy should be explored in all forms and I am open to examining the value of any legal instrument irrespective of whether this is classed as soft law or hard law. A priority issue such as up-dating legal instruments through an expanded understanding of what is meant by the right to privacy would seem to be an essential starting point.
Mr. President, Distinguished Representatives, Ladies and Gentlemen,
I understand the mandate entrusted to me as a historic chance to protect human dignity in the digital age while providing the basis for society to be able to grow and reap the fruits of technological development. In order to succeed, a sincere commitment is required by all parts of society, and particularly member states, corporations and individuals. I count on the cooperation of the States represented in this room and beyond to give life to the full protection of the right to privacy.
Let me finally once more invite you all to take part in discovering and shaping the right to privacy in the Digital Age. The passion for this right has kept me discovering new aspects of privacy for about thirty years now and I still feel like we as a global community are only about to start this process. By moving forward with the actions I laid down in my ten point plan we can enable people all over the world to live better lives. The development of technology is one of the biggest opportunities we have to actually make a difference and improve.
I thank you for your attention and look forward to a fruitful and constructive dialogue with you!